Oblivious DNS-over-HTTPS
https://www.schneier.com/blog/archives/2020/12/oblivious-dns-over-https.html

Oblivious DNS-over-HTTPS

This [new protocol](https://techcrunch.com/2020/12/08/cloudflare-and-apple-design-a-new-privacy-...), called Oblivious DNS-over-HTTPS (ODoH), hides the websites you visit from your ISP.

Here’s how it works: ODoH wraps a layer of encryption around the DNS query and passes it through a proxy server, which acts as a go-between for the internet user and the website they want to visit. Because the DNS query is encrypted, the proxy can’t see what’s inside, but acts as a shield to prevent the DNS resolver from seeing who sent the query to begin with.

IETF [memo](https://tools.ietf.org/html/draft-pauly-dprive-oblivious-doh-02). The [paper](https://arxiv.org/pdf/2011.10121.pdf):

Abstract: The Domain Name System (DNS) is the foundation of a human-usable Internet, responding to client queries for host-names with corresponding IP addresses and records. Traditional DNS is also unencrypted, and leaks user information to network operators. Recent efforts to secure DNS using DNS over TLS (DoT) and DNS over HTTPS (DoH) have been gaining traction, ostensibly protecting traffic and hiding content from on-lookers. However, one of the criticisms of DoT and DoH is brought to bear by the small number of large-scale deployments (e.g., Comcast, Google, Cloudflare): DNS resolvers can associate query contents with client identities in the form of IP addresses. Oblivious DNS over HTTPS (ODoH) safeguards against this problem. In this paper we ask what it would take to make ODoH practical? We describe ODoH, a practical DNS protocol aimed at resolving this issue by both protecting the client’s content and identity. We implement and deploy the protocol, and perform measurements to show that ODoH has comparable performance to protocols like DoH and DoT which are gaining widespread adoption, while improving client privacy, making ODoH a practical privacy enhancing replacement for the usage of DNS.
On Thu, 10 Dec 2020 02:17:36 +0000 coderman <coderman@protonmail.com> wrote:
Recent efforts to secure DNS using DNS over TLS (DoT) and DNS over HTTPS (DoH) have been gaining traction, ostensibly protecting traffic and hiding content from on-lookers.
obviously a lie
However, one of the criticisms of DoT and DoH is brought to bear by the small number of large-scale deployments (e.g., Comcast, Google, Cloudflare):
yes and that's the actual reason for that new garbage protocol, and that's what they are going to implement. DNS will be directly controlled by amazon-shitflare-google-NSA, like everything else.
Oblivious DNS over HTTPS (ODoH) safeguards against this problem.
won't happen (assuming it works as advertised, which in turn is likely to be yet another lie).
On Thu, Dec 10, 2020 at 02:17:36AM +0000, coderman wrote:
https://www.schneier.com/blog/archives/2020/12/oblivious-dns-over-https.html
Oblivious DNS-over-HTTPS
This [new protocol](https://techcrunch.com/2020/12/08/cloudflare-and-apple-design-a-new-privacy-...), called Oblivious DNS-over-HTTPS (ODoH), hides the websites you visit from your ISP.
Here’s how it works: ODoH wraps a layer of encryption around the DNS query and passes it through a proxy server, which acts as a go-between for the internet user and the website they want to visit. Because the DNS query is encrypted, the proxy can’t see what’s inside, but acts as a shield to prevent the DNS resolver from seeing who sent the query to begin with.
IETF [memo](https://tools.ietf.org/html/draft-pauly-dprive-oblivious-doh-02).
The [paper](https://arxiv.org/pdf/2011.10121.pdf):
Abstract: The Domain Name System (DNS) is the foundation of a human-usable Internet, responding to client queries for host-names with corresponding IP addresses and records. Traditional DNS is also unencrypted, and leaks user information to network operators. Recent efforts to secure DNS using DNS over TLS (DoT) and DNS over HTTPS (DoH) have been gaining traction, ostensibly protecting traffic and hiding content from on-lookers. However, one of the criticisms of DoT and DoH is brought to bear by the small number of large-scale deployments (e.g., Comcast, Google, Cloudflare): DNS resolvers can associate query contents with client identities in the form of IP addresses. Oblivious DNS over HTTPS (ODoH) safeguards against this problem. In this paper we ask what it would take to make ODoH practical? We describe ODoH, a practical DNS protocol aimed at resolving this issue by both protecting the client’s content and identity. We implement and deploy the protocol, and perform measurements to show that ODoH has comparable performance to protocols like DoH and DoT which are gaining widespread adoption, while improving client privacy, making ODoH a practical privacy enhancing replacement for the usage of DNS. ---end quoted text---
i heard it requires attaching a pubkey to the request which cloudflare uses to encrypt the response. 1/ pubkey crypto is expensive 2/ cloudflare can still track you based on your pubkey. it's the usual creepy cloudflare shit. fuck cloudflare!
participants (3)
- coderman
- Punk-BatSoup-Stasi 2.0
- stef